Alias /repo/ /srv/cache/lookaside/

# default SSL configuration...
Listen 443

SSLSessionCache         shmcb:/var/cache/mod_ssl/scache(512000)
SSLSessionCacheTimeout  300

Mutex default

SSLRandomSeed startup file:/dev/urandom  256
SSLRandomSeed connect builtin
SSLCryptoDevice builtin

# SSL host
<VirtualHost _default_:443>
    # This alias must come before the /repo/ one to avoid being overridden.
    ScriptAlias /repo/pkgs/upload.cgi /srv/web/upload.cgi

    Alias /repo/ /srv/cache/lookaside/
    ServerName pkgs.fedoraproject.org
    ServerAdmin webmaster@fedoraproject.org

    SSLEngine on

    SSLCertificateFile    conf/pkgs.fedoraproject.org_key_and_cert.pem
    SSLCertificateKeyFile conf/pkgs.fedoraproject.org_key_and_cert.pem
    SSLCACertificateFile  conf/cacert.pem
    SSLCARevocationFile  /etc/pki/tls/crl.pem

    SSLCipherSuite RSA:!EXPORT:!DH:!LOW:!NULL:+MEDIUM:+HIGH

# Must be 'optional' everywhere in order to have POST operations work to upload.cgi
    SSLVerifyClient optional
# Must be here for POST operations to upload.cgi
    SSLOptions +OptRenegotiate
    ErrorLog logs/ssl_error_log
    CustomLog logs/ssl_access_log \
         "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%{SSL_CLIENT_S_DN_OU}x\" %{SSL_CLIENT_S_DN_CN}x %{SSL_CLIENT_S_DN_emailAddress}x \"%r\" %b"

   <Directory /repo/pkgs/>
       SSLVerifyClient optional
       SSLVerifyDepth 1
       SSLOptions +StrictRequire +StdEnvVars +OptRenegotiate
        # require that the client auth cert was created by us and signed by us
       SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
                  and %{SSL_CLIENT_S_DN_O} eq "Fedora Project" \
                  and %{SSL_CLIENT_S_DN_OU} eq "Fedora User Cert" \
                  and %{SSL_CLIENT_I_DN_O} eq "Fedora Project" \
                  and %{SSL_CLIENT_I_DN_OU} eq "Fedora Project CA" )
   </Directory>

   <Location /repo/pkgs/upload.cgi>
       SSLRequireSSL

       SSLVerifyClient optional
       SSLVerifyDepth 1
       SSLOptions +StrictRequire +StdEnvVars +OptRenegotiate
       # require that the access comes from internal or that
       # the client auth cert was created by us and signed by us
       SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
                  and %{SSL_CLIENT_S_DN_O} eq "Fedora Project" \
                  and %{SSL_CLIENT_S_DN_OU} eq "Fedora User Cert" \
                  and %{SSL_CLIENT_I_DN_O} eq "Fedora Project" \
                  and %{SSL_CLIENT_I_DN_OU} eq "Fedora Project CA" )
    </Location>

</VirtualHost>

